Data Protection

Data Protection legislation, namely the General Data Protection Regulation ("GDPR", in Europe and the UK) and the Protection of Personal Information Act ("POPIA", in South Africa), governs the way in which personal information about you is held and processed. The following are some of the principles that the Company operates under (expanded and elaborated in the Company's internal POPIA manual and GDPR commitment, which can be found as a hyperlink on the Company's website):

1. Data protection principles

  1. Personal data should be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specific and lawful purposes and shall not be processed in any manner incompatible with those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data shall not be kept for longer than is necessary.
  6. Personal data shall be processed in accordance with the individual's rights under the Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures adequate levels of protection for the rights and freedoms of individuals in relation to the processing of their personal data.

2. Purposes of obtaining data

In order to fulfil individuals' contracts of employment, monitor sickness and performance, apply equal opportunity policies and otherwise administer the Company's business, we will use and process personal information relating to you which we have obtained during the course of your employment. Such information includes:

  1. Employment history.
  2. Personal circumstances.
  3. Educational qualifications.
  4. Sickness records.
  5. Medical records.
  6. Accident reports.
  7. Attendance records.
  8. Convictions.
  9. Performance appraisals.
  10. Disciplinary records.
  11. Ethnic or racial origins.
  12. Salaries.
  13. Benefits.

In most cases you will have provided such information. In others the information has been provided by your manager, other employees, external referees, or in the case of medical records, your doctor.

We hold this personal data about you confidentially and will only disclose it to others where there is a need to do so, e.g. to give information about your earnings to the Revenue.

No sensitive data such as information about your health, racial or ethnic origins, criminal convictions, trade union membership, political or religious belief will be divulged to a third party without your permission, unless we have a specific legal requirement to process such data.

3. Accuracy of data

It is important that personal data held is accurate. You are required to inform the Company if you believe that your personal data is inaccurate or untrue or if you are dissatisfied with the information in any way.

4. Right to access information

Under the legislation, you are entitled to have access to certain personal data held about you. If you require access, you should contact your Line Manager. The request should be made in writing specifying the information required.

The information shall be provided as soon as reasonably practicable following receipt of the written request, or the provision by you of the additional information required by the Company for the purposes of locating any information, whichever is later.

5. Cybersecurity & Data Breach Policy

For the purposes of this policy, a personal data breach is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification or destruction of personal and/or sensitive data as described in this policy. The breach protocol is meant to address security incidents involving any and all personal data held, collected, processed and/or stored by the Company, including personal data under the control or responsibility of an affiliated business or third party.

The Company shall ensure that, inter alia, all personal data breaches are reported to the Regulator, investigated and contained within the Company or by the Company and in terms of this policy.

The following is an indication of the timelines necessary herein and to be followed by the Company and/or its Information Officer when responding to, investigating and reporting on any personal data breach within the Company:

5.1. Initial response to discovering personal data breach, or potential breach:

  1. Identifying the personal data breach or potential breach;
  2. Involvement of the Information Officer, IT/Server Department and any necessary and/or applicable parties;
  3. Involvement of the compliance department, legal department or similar (if applicable to the Company).

5.2. Immediate Response (0-1 Business Day):

  1. Containment;
  2. Opening of an Incident Report or POPI Breach Report;
  3. Escalation to the relevant individuals or authoritative body(ies);
  4. Activation of the initial response plan and/or containment plan.

5.3. Continuing Response (0-15+ days):

  1. Analysis and Planning (both in terms of closure of the pending breach and initiation of any plans regarding prospective breaches or the avoidance thereof);
  2. Investigation;
  3. Mitigation and Correction;
  4. Notification;
  5. Closing of the Incident Report or POPI Breach Report;
  6. Final reporting (Information Officer, Regulator and Data Subjects).

5.4. Initial Response: the Company must take proactive steps to ensure that any personal data breach or potential breach is identified as soon as reasonably possible. Once identified, the Company, through its IT department and Information Officer, must bring the personal data breach or potential breach to the attention of the necessary parties who will be responsible for containing the personal data breach or potential breach.

5.5. Immediate Response: the Company, its IT department and the Information Officer must, when a breach is discovered, conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons to whom personal information may reach. The Company may, within its areas of responsibility or collaboratively, take steps to attempt to have lost, stolen or inappropriately disclosed information returned or destroyed. For instance, area managers may attempt to contain and control an incident by suspending certain activities or locking and securing areas of record storage; Human Resources may suspend employees as appropriate to prevent compromising behaviour; and the IT Department may shut down particular applications or third-party connections, reconfigure firewalls, change computer access codes, or change physical access codes.

5.6. If applicable, staff members closest to the incident will determine the extent of the breach or potential breach by identifying all information (and systems) affected, and take action to stop the exposure. This may include:

  1. Securing or disconnecting affected systems;
  2. Securing affected records or documentation;
  3. Halting affected business processes;
  4. Pausing any processes that may rely on exposed information or that may have given rise to the incident (as necessary to prevent further use, exposure, etc.).

This would most typically occur in instances of electronic system intrusion, exposed physical (e.g. medical) files or records or similar situations.

5.7. If an active cyber-insurance policy exists or the need is otherwise determined, the Company or its Information Officer may contact contracted third parties (cyber-insurance vendors or affiliates) for breach response services and resources, including forensics, investigation and response consulting, notification and call centre services. Though recommended to occur as soon as possible after discovery, this can occur at any point as more information is obtained or the need is otherwise determined.

5.8. All documentation, investigation and initial and/or containment reports must be kept throughout the personal data breach protocol procedure and included in any report from the Information Officer to the Regulator in terms of section 22 of the POPI Act.

5.9. As more information is gathered, responsible staff will assess each personal data breach or potential breach to determine appropriate handling. This may involve the development and use of internal procedures by individual departments. For instance, while a minor and low risk incident may be assigned to and investigated by competent technicians within a department, the department may require that technician to escalate to management any incident that may damage the Company. The manager, in turn, may escalate the incident to the director, VP, or other level (subject to the Company's internal structure and/or organogram).

5.10. This may also involve activating alternate plans - for instance, Data Recovery Plans and/or any applicable alternative.

5.11. Additionally, responsible departments will assess each personal data breach to determine which parties should be included in communications and/or the further reporting of the personal data breach incident. For instance, the Company or Information Officer may grant certain access and permissions pertaining to cases to area managers, directors, and vice-presidents unless circumstances exist that would preclude sharing information - for instance, if a conflict of interest exists; if sharing the information could compromise an investigation; or if the responsible manager (or a friend or family member of the responsible manager) is involved as an affected party, as a subject, or in other ways.

5.12. Continued response and reporting to the Regulator: all efforts, including but not limited to the initial reporting; the containment and any containment plans; any further planning and proposed corrections; and/or record of any correspondence or notice sent to any of the Company's affected data subjects must be kept and form a material part of the final incident report submitted to the Regulator in terms of section 22 of the POPI Act.

5.13. After containment of the personal data breach and implementation of any necessary containment plan; interim plan or relief; correction plan; data recovery plan; and/or similar plan implemented in response to the personal data breach, the Company's Information Officer must prepare a written report to submit to the Regulator.

5.14. The aforementioned written report must contain all necessary and material information pertaining to the personal data breach, including but not limited to any supporting documentation, investigation outcomes and/or improvement plans. The report must indicate whether the breach was low, moderate or high risk and the extent of the personal data breach, including but not limited to any actual damages suffered; any damage or injury to affected data subjects; and any potential or further threat created by the personal data breach.

5.15. The Information Officer must further notify all affected data subjects of the personal data breach as soon as reasonably possible after discovery of the personal data breach, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the breach and to restore the integrity of the Company's information system. The notification must be done in writing and communicated to the data subject in one of the following ways:

  1. Mailed to the data subject's last known physical or postal address;
  2. Sent by email to the data subject's last known email address;
  3. Placed in a prominent position on the website of the Company;
  4. Published in the news or media; or
  5. As may be directed by the Regulator.

5.16. The notification must provide the affected data subjects with sufficient information to allow the data subject to take protective measures against the personal data breach, including:

  1. A description of the possible consequences of the breach;
  2. A description of the measures that the Company intends to take or has taken to address the personal data breach and/or security compromise;
  3. A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the personal data breach; and
  4. The identity of the unauthorised person or entity who may have accessed or acquired personal information, if known to the Company.

5.17. The Regulator may direct an Organisation to publicise, in any manner specified, the fact of any personal data breach or compromise to the integrity of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the breach.